OWASP 2025 Global AppSec EU

This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start with a guided threat modeling exercise, and we'll then iterate and break down the skills they're learning in more depth. We'll progressing through the Four Questions of Threat Modeling: what are we working on, what can go wrong, what are we going to do about it and did we do a good job. This is capped off with an end-to-end exercise that brings the skills together.

This training takes a comprehensive, focused and practical approach at implementing DevSecOps Practices with a focus on Application Security Automation. The training is a glued-to-your-keyboard hands-on journey with labs that are backed by practical examples of DevSecOps and AppSec Automation.

The Training starts with a view of DevSecOps and AppSec Automation, specifically in terms of embedding security activities in multiple stages of the Software Development Lifecycle. Subsequently, the training delves into specific Application Security Automation approaches for SAST, SCA and Supply-Chain Security, DAST and Integration of these tools into CI/CD tools and Automation Pipelines.

This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.

Long are the days since web servers were run by perl scripts apps written in Delphi. What is common between Walmart, eBay, PayPal, Microsoft, LinkedIn, Google and Netflix? They all use Node.js: JavaScript on the server.

Modern Web apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review modern web apps, showcasing Node.js but using techniques that will also work against any other web app platform. Ideal for Penetration Testers, Web app Developers as well as everybody interested in JavaScript/Node.js and Modern app stack security.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:
1 hour workshop - https://7asecurity.com/free-workshop-web-apps

All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace, packed with exercises, extra mile challenges and CTF, self-paced and suitable for all skill levels, with continued education via unlimited email support, lifetime access, step-by-step video recordings and interesting apps to practice, including all future updates for free.

Privacy is hot! This course will teach you this in-demand skillset and give you hands-on experience with privacy challenges, guiding you to combine Privacy by Design with your security practice.

Our lives are becoming more and more digitized, resulting in a lot of personal data floating around in the cloud. Now, many organizations are keen to use personal data for marketing, personalization or monetization, however, all this personal data comes with increased risk and surprising impact. Noone wants to find out that their daughter is pregnant from the department store ads…

Moreover, data protection legislation is forcing companies to integrate a technical approach for privacy into system design. With ever higher demands for privacy-respecting products, security teams have implicitly gained additional responsibilities and are hard pressed to keep up with these emerging requirements and often feel like there is a substantial and growing skills gap. Incorporating privacy into security with a proactive approach is essential to addressing this!

Traditional security approaches have historically not focused on this aspect of data protection, leaving individuals at risk. While common compliance and governance aspects of privacy are important, the technical aspects of privacy engineering are substantially more challenging - and that is the primary focus of this course.

This interactive technical course will teach you privacy analysis skills that are valuable to security teams. You can leverage your existing security skills with just a shift of mindset, since privacy largely shares the same foundation as security. We will teach you how common security techniques, such as architecture specification, threat modeling, and mitigation design, can be adapted for privacy. You will learn to capture how sensitive data flows through the system, and identify and mitigate high impact privacy issues in the software system. This will enable you to build privacy into the core of the product design and development process, while aligning it efficiently with security practices.

The course will cover these main topics:
- Privacy engineering essentials
- Privacy architecture & feature analysis
- Data inventory, mapping, and tagging
- Privacy threats (e.g. LINDDUN)
- Privacy controls, mitigations, and technologies
- Full privacy process

Each of these topics will be taught in an engaging, interactive format, with plenty of hands-on, collaborative exercises. We will teach you both the technical skills and social aspects essential for successful privacy engineering. This will include an assortment of relevant scenarios for each module, realistic simulations of popular upcoming features, diagramming tasks, and open debates. You will gain confidence using proven design techniques in order to improve the privacy posture of your system. In each module, you'll gain hands-on privacy experience through a set of exercises and class discussions.

We received rave reviews on our previous delivery of this course, for example:
- "If you're looking for a challenging, in-depth Privacy course which focuses on the technical aspects, look no further. Yes, it's only a 2-day course, but during that time, you'll take a deep dive into threat modelling, architecture, and other aspects required for ensuring Privacy is included in the SDLC."

Modern IT systems are increasingly complex, making full-stack expertise more essential than ever. That's why diving into full-stack pentesting is crucial—you will gain the skills needed to master modern attack vectors and implement effective defensive countermeasures.

For each attack, vulnerability and technique presented in this training, there is a lab exercise to help you develop your skills step by step. What's more, when the training is over, you can take the complete lab environment home to hack again at your own pace.

I found security bugs in many companies including Google, Yahoo, Mozilla, Twitter and in this training I'll share my experience with you.

Key Learning Objectives
After completing this training, you will have learned about:

- Hacking cloud applications
- API hacking tips & tricks
- Data exfiltration techniques
- OSINT asset discovery tools
- Tricky user impersonation
- Bypassing protection mechanisms
- CLI hacking scripts
- Interesting XSS attacks
- Server-side template injection
- Hacking with Google & GitHub search engines
- Automated SQL injection detection and exploitation
- File read & file upload attacks
- Password cracking in a smart way
- Hacking Git repos
- XML attacks
- NoSQL injection
- HTTP parameter pollution
- Web cache deception attack
- Hacking with wrappers
- Finding metadata with sensitive information
- Hijacking NTLM hashes
- Automated detection of JavaScript libraries with known vulnerabilities
- Extracting passwords
- Hacking Electron applications
- Establishing reverse shell connections
- RCE attacks
- XSS polyglot
- and more …

What Students Will Receive
Students will be handed in a VMware image with a specially prepared lab environment to play with all attacks, vulnerabilities and techniques presented in this training. When the training is over, students can take the complete lab environment home (after signing a non-disclosure agreement) to hack again at their own pace.

Special Bonus
The ticket price includes FREE access to my 6 online courses:

- Fuzzing with Burp Suite Intruder
- Exploiting Race Conditions with OWASP ZAP
- Case Studies of Award-Winning XSS Attacks: Part 1
- Case Studies of Award-Winning XSS Attacks: Part 2
- How Hackers Find SQL Injections in Minutes with Sqlmap
- Web Application Security Testing with Google Hacking

What Students Say About My Trainings
References are attached to my LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions – training participants from companies such as Oracle, Adobe, ESET, ING, …

What Students Should Know
To get the most of this training intermediate knowledge of web application security is needed. Students should have experience in using a proxy, such as Burp Suite Proxy or Zed Attack Proxy (ZAP), to analyze or modify the traffic.

What Students Should Bring
Students will need a laptop with 64-bit operating system, at least 8 GB RAM, 35 GB free hard drive space, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running x86_64 VMs.

Additional notes
This new 3-day training was sold out at top security conferences e.g. DEF CON 2024 (Las Vegas), Hack In Paris (Paris).

This is a 100% hands-on training: for each attack, vulnerability and technique presented in this training, there is a lab exercise to help students develop their skills step by step.

This three-day hands-on course teaches penetration testers, developers and engineers how to analyse Android and iOS applications for security vulnerabilities by going through the different phases of testing, including dynamic testing, static analysis, reverse engineering and Software Composition Analysis (SCA). The foundation for this will be the OWASP Mobile Application Security Testing Guide (MASTG). The OWASP MASTG is a comprehensive and open source mobile security testing book that covers both, iOS and Android and provides a methodology and very detailed technical test cases to ensure completeness and use the latest attack techniques against mobile applications. This course will give you hands-on experience with open source tools and advanced methodologies by guiding you through real-world scenarios.

Detailed outline

Day 1: We'll start the first day with an introduction to the OWASP MASVS and MASTG and the latest updates to it and then dive into the Android platform and its security architecture. Students will no longer be required to bring their own Android device, instead each student will be provided with a cloud-based virtualised Android device from Corellium.

Topics include:

- Intercepting network traffic from apps written in mobile app frameworks such as Google's Flutter
- Reverse engineering a Kotlin app and identifying and exploiting a real-world deep link vulnerability through manual source code review.
- Explore the differences and effectiveness of reverse engineering Android apps using Smali patching, Magisk and Dynamic Instrumentation with Frida
- Frida crash course to get started with dynamic instrumentation on Android apps
- Bypass different implementations of SSL pinning using Frida
- Use dynamic instrumentation with Frida to
- Bypass multiple root detection mechanisms
- Bypass Frida detection mechanisms
- Day 1 will be closed with a Capture the Flag (CTF)

On day 2 we start with applying our new skills to a real world app and wrap up the Android part and start with iOS. We will use a Github repo that will allow us to execute static scanning, SCA and secret scanning on Kotlin and Swift:

Android:

- Attacking a real world app and overcome it's protection mechanisms.
- Analyse the storage of an Android app and understand the various options on how and where files can be stored (app-specific, shared storage etc.)
- Using Brida (Frida and Burp) to bypass End2End encryption in an Android App
- Static Scanning of Kotlin source code, identifying vulnerabilities and eliminating false positives
- Scanning for secrets in an APK

iOS:

- Introduction into iOS Security fundamentals
- Scanning for secrets in a Swift repository and identifying ways to handle them securely.
- Software Composition Analysis (SCA) for iOS - Scanning 3rd party libraries and SDKs in mobile package managers for known vulnerabilities and mitigation strategies.
- Demonstration on how to test watchOS apps and it's limitations
- Statically scanning Swift source code, identifying vulnerabilities and eliminating false positives.

Day 3 focuses on iOS. We will begin the day by creating an iOS test environment using Corellium and dive into several topics, including:

- Intercepting network traffic of an iOS App in various scenarios, including intercepting traffic that is not HTTP
- Examining stateless authentication (JWT) in a mobile app
- A Frida crash course to get started with dynamic instrumentation for iOS applications
- Analyse the storage of an iOS app and understand the various options on how (Realm databases etc.) and where files can be stored.
- Testing methodology with a non-jailbroken (jailed) device by repackaging an IPA with the Frida gadget
- Using Frida to bypass runtime instrumentation of iOS applications
- Anti-Jailbreaking Mechanisms
- Frida's detection mechanism

We'll wrap up the final day with a CTF and participants can win a prize!

Whether you are a beginner who wants to learn mobile app testing from the ground up, or an experienced pentester or developer who wants to improve your existing skills to perform more advanced attack techniques, or just for fun, this training will help you achieve your goals.

The course consists of many different labs developed by the instructor and is approximately 65% hands-on and 35% lecture.

Upon successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile applications, how to suggest the right mitigation techniques to developers, and how to perform tests consistently.

What students should bring

The following requirements must be met by students in order to be able to follow all exercises and participate fully:

- Laptop (Windows/Linux/macOS) with at least 8GB of RAM and 40GB of free disk space.
- Full administrative access in case of problems with the laptop environment (e.g. ability to disable VPN or AV/EDR)
- Virtualisation software (e.g. VMware, VirtualBox, UTM); a virtual machine will be provided for X86 and ARM architecture (for M1/M2/M3/M4 MacBooks) with all tools required for the training.
- Ideally a tablet to have a second screen for the practical lab slides when doing the hands-on sessions.

An iOS and Android device is NOT required as an emulated instance is provided for each student hosted at Corellium. This is a cloud-based environment that allows each student access to a jailbroken iOS device and a rooted Android device during the training.

What students will receive

- Slide deck and labs for the iOS and Android training as PDF and all videos for all demonstrations shared in class.
- All vulnerable apps used during the training, either as APK or IPA.
- Docker Containers with the APIs the apps were communicating with.
- Detailed write-ups for all labs so you can review them at your own pace after the course.
- Dedicated Slack channel used to help students prepare before the course, communicate during the course and stay in touch after the course for any questions.
- Printed hand-out of the Labs

What prerequisites should students have before attending this training?

- This course is for Beginners and Intermediate
- Basic understanding of mobile apps
- Able to use Linux command line